Not long ago, SMEs didn’t believe cyber crime was an issue that affected them. It was a problem they thought was reserved for big corporates and multi-national firms who had a lot to lose. The common SME had nothing to worry about.
But recently there’s been a realisation that the SME is very much under threat, and to a much greater extent than most people thought.
In May 2013, the Federation of Small Business (FSB) claimed that cyber crime was costing SMEs £785m a year, while research from 2012 found that one in 10 SMEs had suffered a data breach.
The threat has successfully made it onto most SMEs’ agendas, at a time when cyber crime and cyber espionage are swirling throughout the press every single day.
In the last couple of weeks alone the chancellor pledged an extra £210 million towards cyber spend in his spending review. Defence secretary Philip Hammond warned that Britain could be hit by a devastating cyber attack from a rogue state, and urged Britain to launch its own attacks. Meanwhile, GCHQ director Sir Iain Lobban said Britain is seeing about 70 sophisticated cyber espionage operations a month against government or industry networks.
Threats to SMEs
But against this backdrop of cyber warfare and government action, what are the threats to SMEs, and what are they currently doing to counter them? And more importantly – what should they be doing?
The specific threats each SME faces will depend on the type of business it is. High-tech firms with valuable IP might find themselves subject to more covert and sophisticated operations and will need extra measures in place. Businesses that hold personal data will also attract the attention of miscreants and will have to prepare accordingly.
Broadly speaking, most SMEs won’t have the skills within the company to properly secure their infrastructures. A recent survey from the Institution of Engineering and Technology (IET) found that less than a third felt they had sufficient protection from the current threat landscape.
So what areas should SMEs be looking at specifically? Keeping a business secure is extremely difficult and is very much a moving target. Irrespective of this, there are certain areas businesses should evaluate and assess closely.
Firstly your internal network. How strict is your wireless access? Who has permission to install software, and how regularly do you backup critical systems?
Then there’s the internet-facing aspects of your network. How regularly are your internet connections and web applications vulnerability scanned or tested? Is your firewall properly maintained?
Devices and mobile technologies are another key area. Are all laptops and tablets encrypted? You need to consider the ways in which the hackers can get at your data. For example are employees using their own equipment to access corporate data or systems?
The hidden dangers of the supply chain must also be taken into account. How much access do external suppliers have to your data? Are you aware of security incidents that happen to trusted third parties? Cyber criminals long ago caught onto the fact that third party suppliers can provide an easy route into valuable data.
These are just a selection of the questions SMEs should be asking themselves – or using trusted advisors to do so.
Invest in security
Understandably, smaller businesses might not always have the cash reserves available to support the associated investment in defence. There’s a strong argument that says that one single data breach could cost a firm much more than their initial investment, but sometimes it simply isn’t possible to access the funds. In many cases though a significant improvement in cyber risk can be achieved at little or no expense.
There are other options, one being the slowly growing market for cyber insurance. Although not a direct alternative, an insurance policy can provide much needed help, especially ones that provide access to expertise prior to and – should the worst happen – after an incident. Recent research found that only 12% of businesses surveyed had invested in cyber insurance. With the frequency of cyber attacks increasing, it’s up to insurance providers to educate businesses as to the benefits – SMEs in particular.
This is a threat that isn’t going away any time soon and is only going to get worse. But SMEs shouldn’t shy away; they need to face up to this fact and take action to protect themselves, before they’re caught out.
Rob Cotton is CEO of NCC Group.
Share this story